Apple's iPad security breach reveals vulnerability of mobile devices

The security breach in a Web service used by Apple's iPad exposed the e-mail addresses of at least 114,000 owners and unique identification numbers the devices use to communicate with the phone network.
(Ryan Anson/afp/getty Images)

But in the mobile landscape, the iPhone, iPod Touch and iPad tablet -- all of which run the same operating system -- are so fancy and expensive and used by so many elites that they have become an irresistible challenge to hackers, as well as the security experts fighting against them.

In the first quarter of this year, Apple's devices had about 28 percent of the smartphone market, according to a report by Nielson. That compares to Research In Motion BlackBerry's 35 percent share, Microsoft Windows Mobile's 19 percent share and Google Android's 9 percent share.

Charlie Miller, principal analyst for Baltimore-based computer security firm Independent Security Evaluators, said that when Apple's iPhone debuted in 2007, the security was "pretty awful." Since then Apple has made several upgrades that do not allow any non-approved applications to run on its devices, and the operating system is made up of what's known as "sandboxes" to keep those who break in locked in one area so they can control only some features.

But problems keep cropping up.

In March, security experts discovered a flaw in the Safari browser on the iPhone that allowed them to steal someone's messages. Even worse, last year Miller found that he could send coded text messages that would allow him to take over someone's iPhone entirely.

"The user did not have to go a Web site or even be paying attention. The device could be sitting in your purse, and I could take over. I could track your location, send text messages, dial your phone. I could turn on the microphone to listen to what you're doing," Miller said.

Miller and a friend found the problem in about a week, when they were fiddling around with it for fun, for a hacking contest. "Imagine if it was a bad guy and not a good guy like me," he said.

The security experts guessed the sim card identification number, the ICC-ID, of iPad users, which they discovered are generally sequential, and input them into the unsecured AT&T site which told them which e-mail address was registered for that device.

Daniel Kennedy, a partner at Praetorian Security Group in New York City, said he thinks the top problem with the breach is that if hackers got access to someone's e-mail address and if they could find out the names of the person's wife, husband or other trusted associates, they could send malicious e-mails supposedly from that person, almost guaranteeing that they will open them. "It's similar to how the Chinese attackers supposedly got into Google," Kennedy said.

Escher Auernheimer, a 24-year-old high school dropout from Los Angeles who is part of the nine-member Goatse group, said they destroyed the data after they finished studying the flaw and never used the information access for any illicit purpose. He said neither he nor any others involved has been contacted by the FBI.

"This disclosure needed to be made. iPad 3G users had the right to know that their e-mail addresses were potentially public knowledge so they could take steps to mitigate the issue," the group wrote in a blog post Friday.

But, Auernheimer pointed out, the iPad 3G has been on sale since late April and it's possible that someone else swiped the data before the problem was fixed. "No one is putting a lot of thought into mobile security," Auernheimer said in a phone interview. "I think they need to start to."